Hey folks! If you're at KubeCon EU this morning, drop by our booth and say hello!

is there a way to change the URN created by resources in a helm chart? like give it a prefix or something?

adding to the ^question, the only problem i have with resources is the CRD the helm charts creates, helm v3 supports

skip-crds

flag, is there a way to pass this to the pulumi helm object?

Is it possible to organise stacks in a subfolder?

I have an infrastructure project for several Kubernetes clusters and I'm concerned about there being so many Pulumi stack config files at the top level

Because I have a stack-per-cluster

@powerful-planet-88446 absolutely, check out: https://www.pulumi.com/docs/guides/organizing-projects-stacks/. If you are worried about access control as well to those projects and stacks you should check out the following features in the pulumi service: https://www.pulumi.com/docs/intro/pulumi-service/teams/ & https://www.pulumi.com/docs/intro/pulumi-service/projects-and-stacks/#stack-permissions

Hi, We are just getting started using Pulumi in our organisation. We are using Python as we are a Python shop for our main applications. We have got Pulumi creating an eks cluser using pulumi-eks, now we are trying to get it to actually deploy something to the cluster. We are following https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/eks/ modifying the code as that is in JavaScript/TypeScript, however it I'm having problems when specifying the cluster The example has:

{
        provider: cluster.provider,
}

as the third parameter(opts), I tried converting this to Python as:

opts=pulumi.ResourceOptions(provider=cluster.provider),

However my IDE complains about it being the wrong type (Output[Provider] instead of ProviderResource) and when running

pulumi up

, I get:

ValueError: Attempted to register resource kubernetes:apps/v1:Deployment with a provider for '<pulumi.output.Output object at 0x7f695f68c5d0>'
    error: an unhandled error occurred: Program exited with non-zero exit code: 1

Any idea of what I am doing wrong or how I can fix this?

hi folks, I’m looking to test a pulumi k8s setup as part of CI before actually deploying to production has anyone tried out https://github.com/helm/kind-action or https://github.com/marketplace/actions/setup-minikube ?

https://docs.datadoghq.com/agent/kubernetes/control_plane/?tab=helm#EKS datadog recommends adding annotations to default/kubernetes service so API server metrics are collected with pulumi, I can’t seem to find a way to GetService, but even so I remember that all of the attributes are read only and I can’t seem to find a way to specify this customization in the

eks.Cluster

resource ideas?

I am trying to replicate what the

pulumi-eks

package does in golang but I appear to get an error. I'm trying to update the configmap for

aws-auth

. In the nodejs/eks version it does this

const eksNodeAccess = new k8s.core.v1.ConfigMap(`${name}-nodeAccess`, {
        apiVersion: "v1",
        metadata: {
            name: `aws-auth`,
            namespace: "kube-system",
        },
        data: nodeAccessData,
    }, { parent, provider: k8sProvider });

Which appears to work by actually altering the configmap. However in golang when I try do the same I get an error

_, err = corev1.NewConfigMap(ctx, "aws-auth", &corev1.ConfigMapArgs{
			Metadata: &metav1.ObjectMetaArgs{
				Name: pulumi.String("aws-auth"),
				Namespace: pulumi.String("kube-system"),
			},
			Data:       pulumi.StringMap{
				"mapRoles": roleConfig,
			},
		}, pulumi.Provider(kubeProvider))

The error is

resource kube-system/aws-auth was not successfully created by the Kubernetes API server : configmaps "aws-auth" already exists

How does the node version manage to do it whilst the go version can't?

I'm trying to build out an EKS project in go, and I'm having some issues with credentials and providers. Wondering if anyone has tried this particular scenario yet. We have a Hashicorp Vault AWS credential backend already configured for this account. SO - I have pulumi grabbing some AWS credentials from Vault, building an AWS provider, and then using that for all of my AWS resources. This works well for most things (VPC created already, etc.) But, when I use pulumi-eks to build an EKS cluster with this provider, it fails to validate that the cluster is running. From the error messages, it appear that the pulumi operator (which is running this code), is trying to use its own credentials to access the cluster afterwards. SO, I think there's some issue with the Kubernetes provider that gets generated not using the AWS provider credentials that I used to create the cluster. At this point, I have no clue how to get around this, other than to not use the pulumi-eks library, and instead build out the cluster and node groups, etc. myself using the "standard" aws library. This would allow me to control the K8s provider that gets generated and the aws-auth configmap myself (I think) Am I missing something, or is that the correct path forward here? Also, let me know if I should post this in AWS or Go instead

Anyone have good patterns around getting AWS credentials into a K8s cluster?

I could obviously set them as secrets in the configfile, but was wondering if there was a way to grab them out of my local credentials file?

Is it for the aws account that your cluster is in? You could use IRSA or kube2iam to assume roles instead

More fun with pulumi-eks and the pulumi-kubernetes-operator -

Unable to connect to the server: getting credentials: exec plugin is configured to use API version <http://client.authentication.k8s.io/v1beta1|client.authentication.k8s.io/v1beta1>, plugin returned version <http://client.authentication.k8s.io/v1alpha1|client.authentication.k8s.io/v1alpha1>

I was able to fix this error locally by updating to a newer version of the awscli. I can't seem to find where this is defined for the pulumi containers. Any thoughts on a workaround, and/or should I file an issue somewhere for this?

Hi all, I'm trying to use the v3.Chart resource. However I'm running into an issue that I can't seem to replicate

--set-file

, used for a template that that replaces a value with the file's contents. If I 1) use a json object as the value, it blows up with

wrong type for value; expected string; got []interface {}

. If I try to pass a yaml string literal, pulumi helpfully escapes all the newlines so that doesn't work either. So wondering if anyone knows of a way to duplicate whatever helm template --set-file does.

Does anyone know why “health” checking is implicitly part of the “create” lifecycle for k8s objects? If health fails, it thinks that create fails, and the object doesn’t get stored in state. Subsequent runs fail with “already exists” error from kubernetes. I filed an issue: https://github.com/pulumi/pulumi-kubernetes/issues/1994 I think this is a fairly high priority / common use case.

Hey there! Posting my questions here because I think they are most relevant here, but if I should move this to another channel that's better suited, then let me know. I am building a component resource provider, in Go, for easily deploying my company’s platform, which is a cloud environment, such as a VPC and EKS cluster, with a suite of open-source tools that gets deployed to Kubernetes. I’ve ran into a dilemma and I’m not sure how to proceed. I’m trying to make use of the Kubernetes provider’s “CustomResource” resource in order to configure an ArgoCD application custom resource. I’ve hit a snag with that "CustomResource" resource type because one of its arguments doesn't implement Pulumi types, specifically the

OtherFields

field, ref. Because of that, I can’t pass it a Pulumi type for a value. This is an issue for me because my custom resource needs to support resource dependencies for a

dependsOn

to work, but as far as I know Pulumi’s provider type checking requires that fields implement Pulumi types if a resource is to have dependencies. Implementing plain types when my provider’s resource has a

dependsOn

results in an error like the following:

error: program failed: waiting for RPCs: rpc error: code = Unknown desc = setting args: copying input "spec": application.ArgocdAppArgs.Spec is typed as map[string]interface {} but must be a type that implements pulumi.Input or pulumi.Output for input with dependencies

Which seems to originate from here: https://github.com/pulumi/pulumi/blob/master/sdk/go/pulumi/provider.go#L564. Which seems odd that this is even a problem, because my dependency is simply a

dependsOn

, not an actual field dependency. So with all of that backstory laid out, my main questions are: How do I pass a pulumi type to a resource that implements a plain type? If that’s not possible, is it possible to get around the pulumi provider type checking that is requiring all fields to implement pulumi types when there are dependencies?

Hey is it possible to deploy a local cluster using minikube/kind/k3s using pulumi?

Pulumi keeps overwriting

.kube/config

on

pulumi up

. How do you make it not touch the file?

👋 quick q for yall - we’re using the helm.v3 construct, but the chart we’re consuming wraps an entire resource template with:

if (.Capabilities.APIVersions.Has <some-api-resource-version>)

which always fails, bc apparently this check returns false. is there a known way for pulumi-k8s operators to work around this, specifically around hydrating

.Capabilities

? https://github.com/pulumi/pulumi-kubernetes/issues/196

Hello, i'm disabled the default k8s provider, and now i'm getting the following error when running the code below:

let secrets: pulumi.Output<output.core.v1.ObjectReference[]> = k8s.core.v1.ServiceAccount.get("ksa-".concat(ksa.name),resourceId).secrets;

error: Error: failed to read resource #thx/shared-db-password 'ksa-shared-db-password' [kubernetes:core/v1:ServiceAccount]: 2 UNKNOWN: Default provider for 'kubernetes:core/v1:ServiceAccount' disabled. 'kubernetes:core/v1:ServiceAccount' must use an explicit provider.

looking at the

k8s.core.v1.ServiceAccount.get

api it doesn't allow you to set the k8s provider. i believe this is the same issue as https://github.com/pulumi/pulumi-kubernetes/issues/1945 ?

Hey Pulumi friends, did anyone face warnings about

client-side throttling

? If yes - How did you get rid of them? I keep getting spammed with messages like this during provisioning of my cluster(s):

Diagnostics:
  pulumi:pulumi:Stack (development-localhost):
    I0602 12:31:12.623746   98885 request.go:665] Waited for 1.044442038s due to client-side throttling, not priority and fairness, request: GET:<https://127.0.0.1:6443/api/v1/namespaces/harbor>
    I0602 12:31:23.024342   98885 request.go:665] Waited for 1.019069815s due to client-side throttling, not priority and fairness, request: GET:<https://127.0.0.1:6443/api/v1/namespaces/minio>
  [..]

I found several reports to delete and/or

chown

the

~/.kube/cache

directory. This did not help for me. Any ideas?

how do you guys maintain docker image versions in deployments and helm charts? let’s say I use Operator to deploy a stack, I want something to open PRs on git to keep my image versions current like an SCA like renovate or snyk but for my pulumi code

Hi all, I'm wondering if something already exists for splitting up Pulumi components for Kubernetes into different repositories and enabling/importing them on demand?

For example, if you wanted to enable a Cilium CNI component on a cluster but not Istio

I'm about to start writing a framework that does pretty much exactly this but it seems like somewhat of a common need so I'm interested if anyone has come up with something like it